Hello Serg!
2015-10-25 20:38 GMT+02:00 Sergei Golubchik <serg@mariadb.org>:
On Oct 25, Christian Rebischke wrote:
Hello,
Sorry for disturbing again. On your security page https://mariadb.com/kb/en/mariadb/security/ the following CVEs are missing: ... I am not sure if MariaDB is affected by them or not. Would be awesome if you could add them at the right section :-)
Not affected, that's why they aren't listed. The security page lists all CVEs that affected MariaDB and the version when they were fixed. CVEs that never affected us are not listed.
CVE-2015-4910
It's for memcached plugin, we don't have it.
CVE-2015-4905 CVE-2015-4904 CVE-2015-4895 CVE-2015-4862 CVE-2015-4833 CVE-2015-4800 CVE-2015-4791 CVE-2015-4766
They're all for MySQL-5.6, for the code that we don't have. MySQL-5.5 was the last version when we merged everything from MySQL. That is, MariaDB is based on MySQL-5.5 codebase, we only merge InnoDB and Performance Schema from 5.6.
It would be nice if the page https://mariadb.com/kb/en/mariadb/security/ also had a section that was explicit that Oracle CVEs do _not_ affect MariaDB, because I am sure many people wonder what the status might be for non-listed CVEs.
..wait, it does indeed have the section "CVE's affecting Oracle MySQL" at the very end. Can you please update it?
The Debian security tracker https://security-tracker.debian.org/tracker/source-package/mariadb-10.0 lists two CVEs as undetermined, can you say if CVE-2015-4737 and CVE-2015-2620 affect MariaDB 10.0 or not?
- Otto